AUDITING THEORY AUDITING IN A COMPUTER

INFORMATION SYSTEMS (CIS) ENVIRONMENT

1. Which statement is incorrect when auditing in a CIS

environment?
A. A CIS environment exists when a computer of any type or
size is involved in the processing by the entity of financial
information of significance to the audit, whether that computer
is operated by the entity or by a third party.
B. The auditor should consider how a CIS environment affects
the audit.
C. The use of a computer changes the processing, storage and
communication of financial information and may affect the
accounting and internal control systems employed by the entity.
D. A CIS environment changes the overall objective and scope
of an audit.

2. Which of the following standards or group of standards is

mostly affected by a computerized information system
environment?
A. General standards c. Reporting standards
b. Second standard of field work d. Standards of fieldwork

3. Which of the following is least considered if the auditor has

to determine whether specialized CIS skills are needed in an
audit?
A. The auditor needs to obtain a sufficient understanding of the
accounting and internal control system affected by the CIS
environment.
B. The auditor needs to determine the effect of the CIS
environment on the assessment of overall risk and of risk at the
account balance and class of transactions level.
C. Design and perform appropriate tests of controls and
substantive procedures.
D. The need of the auditor to make analytical procedures during
the completion stage of audit.

4. It relates to materiality of the financial statement assertions

affected by the computer processing.
A. Threshold b. Relevance c. Complexity d. Significance

5. Which of the following least likely indicates a complexity of

computer processing?
A. Transactions are exchanged electronically with other
organizations without manual review of their propriety.
B. The volume of the transactions is such that users would find
it difficult to identify and correct errors in processing.
C. The computer automatically generates material transactions
or entries directly to another applications.
D. The system generates a daily exception report.

6. The nature of the risks and the internal characteristics in CIS

environment that the auditors are mostly concerned include the
following except:
a. Lack of segregation of functions. C. Lack of transaction
trails.
B. Dependence of other control over computer processing. D.
Cost-benefit ratio.
7. Which of the following is least likely a risk characteristic
associated with CIS environment?
A. Errors embedded in an application’s program logic maybe
difficult to manually detect on a timely basis.
B. Many control procedures that would ordinarily be performed
by separate individuals in manual system maybe concentrated in
CIS.
C. The potential unauthorized access to data or to alter them
without visible evidence maybe greater.
D. Initiation of changes in the master file is exclusively handled
by respective users.

8. Which of the following significance and complexity of the

CIS activities should an auditor least understand?
A. The organizational structure of the client’s CIS activities.
B. Lack of transaction trails.
C. The significance and complexity of computer processing in
each significant accounting application.
D. The use of software packages instead of customized software.

Page 2 of 15 AT-030507 PAPS 1001 – CIS Environments –

Stand-Alone Personal Computers

9. Which statement is correct regarding personal computer

systems?
A. Personal computers or PCs are economical yet powerful self-
contained general purpose computers consisting typically of a
central processing unit (CPU), memory, monitor, disk drives,
printer cables and modems.
B. Programs and data are stored only on non-removable storage
media.
C. Personal computers cannot be used to process accounting
transactions and produce reports that are essential to the
preparation of financial statements.
D. Generally, CIS environments in which personal computers
are used are the same with other CIS environments.

10. A personal computer can be used in various configurations,

including
a. A stand-alone workstation operated by a single user or a
number of users at different times.
B. A workstation which is part of a local area network of
personal computers.
C. A workstation connected to a server.
D. All of the above.

11. Which statement is incorrect regarding personal computer

configurations?
A. The stand-alone workstation can be operated by a single user
or a number of users at different times accessing the same or
different programs.
B. A stand-alone workstation may be referred to as a distributed
system.
C. A local area network is an arrangement where two or more
personal computers are linked together through the use of
special software and communication lines.
D. Personal computers can be linked to servers and used as part
of such systems, for example, as an intelligent on-line
workstation or as part of a distributed accounting system.

12. Which of the following is the least likely characteristic of

personal computers?
A. They are small enough to be transportable.
B. They are relatively expensive.
C. They can be placed in operation quickly.
D. The operating system software is less comprehensive than
that found in larger computer environments.

13. Which of the following is an inherent characteristic of

software package?
A. They are typically used without modifications of the
programs.
B. The programs are tailored-made according to the specific
needs of the user.
C. They are developed by software manufacturer according to a
particular user’s specifications.
D. It takes a longer time of implementation.

14. Which of the following is not normally a removable storage

media?
A. Compact disk c. Tapes
b. Diskettes d. Hard disk

15. It is a computer program (a block of executable code) that

attaches itself to a legitimate program or data file and uses its as
a transport mechanism to reproduce itself without the knowledge
of the user.
A. Virus c. System management program
b. Utility program d. Encryption

16. Which statement is incorrect regarding internal control in

personal computer environment?
A. Generally, the CIS environment in which personal computers
are used is less structured than a centrally-controlled CIS
environment.
B. Controls over the system development process and operations
may not be viewed by the developer, the user or management as
being as important or cost-effective.
C. In almost all commercially available operating systems, the
built-in security provided has gradually increased over the years.
D. In a typical personal computer environment, the distinction
between general CIS controls and CIS application controls is
easily ascertained.

17. Personal computers are susceptible to theft, physical

damage, unauthorized access or misuse of equipment. Which of
the following is least likely a physical security to restrict access
to personal computers when not in use?
A. Using door locks or other security protection during non-
business hours.
B. Fastening the personal computer to a table using security
cables.
C. Locking the personal computer in a protective cabinet or
shell.
D. Using anti-virus software programs.

Page 3 of 15 AT-030507

18. Which of the following is not likely a control over

removable storage media to prevent misplacement, alteration
without authorization or destruction?
A. Using cryptography, which is the process of transforming
programs and information into an unintelligible form.
B. Placing responsibility for such media under personnel whose
responsibilities include duties of software custodians or
librarians.
C. Using a program and data file check-in and check-out system
and locking the designated storage locations.
D. Keeping current copies of diskettes, compact disks or back-
up tapes and hard disks in a fireproof container, either on-site,
off-site or both.

19. Which of the following least likely protects critical and

sensitive information from unauthorized access in a personal
computer environment?
A. Using secret file names and hiding the files.
B. Keeping of back up copies offsite.
C. Employing passwords.
D. Segregating data into files organized under separate file
directories.
20. It refers to plans made by the entity to obtain access to
comparable hardware, software and data in the event of their
failure, loss or destruction.
A. Back-up b. Encryption c. Anti-virus d. Wide Area
Network (WAN)

21. The effect of personal computers on the accounting system

and the associated risks will least likely depend on
a. The extent to which the personal computer is being used to
process accounting applications.
B. The type and significance of financial transactions being
processed.
C. The nature of files and programs utilized in the applications.
D. The cost of personal computers.

22. The auditor may often assume that control risk is high in
personal computer systems since , it may not be practicable or
cost-effective for management to implement sufficient controls
to reduce the risks of undetected errors to a minimum level.
This least likely entail
a. More physical examination and confirmation of assets.
B. More analytical procedures than tests of details.
C. Larger sample sizes.
D. Greater use of computer-assisted audit techniques, where
appropriate.

PAPS 1002 – CIS Environments – On-Line Computer Systems

23. Computer systems that enable users to access data and
programs directly through workstations are referred to as
a. On-line computer systems c. Personal computer systems
b. Database management systems (DBMS) d. Database
systems

24. On-line systems allow users to initiate various functions

directly. Such functions include:
I. Entering transactions III. Requesting reports II. Making
inquiries IV. Updating master files
a. I, II, III and IV c. I and II b. I, II and III d. I and IV

25. Many different types of workstations may be used in on-line

computer systems. The functions performed by these
workstations least likely depend on their
a. Logic b. Transmission c. Storage d. Cost

26. Types of workstations include General Purpose Terminals

and Special Purpose Terminals. Special Purpose Terminals
include
a. Basic keyboard and monitor c. Point of sale devices
b. Intelligent terminal d. Personal computers

27. Special Purpose Terminal used to initiate, validate, record,

transmit and complete various banking transactions
a. Automated teller machines c. Intelligent terminal
b. Point of sale devices d. Personal computers

28. Which statement is incorrect regarding workstations?

A. Workstations may be located either locally or at remote sites.
B. Local workstations are connected directly to the computer
through cables.
C. Remote workstations require the use of telecommunications
to link them to the computer.
d. Workstations cannot be used by many users, for different
purposes, in different locations, all at the same time.

29. On-line computer systems may be classified according to

a. How information is entered into the system.
B. How it is processed.
C. When the results are available to the user.
D. All of the above.

30. In an on-line/real time processing system

a. Individual transactions are entered at workstations, validated
and used to update related computer files immediately.
B. Individual transactions are entered at a workstation, subjected
to certain validation checks and added to a transaction file that
contains other transactions entered during the period.
C. Individual transactions immediately update a memo file
containing information which has been extracted from the most
recent version of the master file.
D. The master files are updated by other systems.

31. It combines on-line/real time processing and on-line/batch

processing.
A. On-Line/Memo Update (and Subsequent Processing)
b. On-Line Downloading/Uploading Processing
c. On-Line/Inquiry
d. On-Line/Combined Processing

32. It is a communication system that enables computer users to

share computer equipment, application software, data and voice
and video transmissions.
A. Network b. File server c. Host d. Client

33. A type of network that multiple buildings are close enough

to create a campus, but the space between the buildings is not
under the control of the company is
a. Local Area Network (LAN) c. Metropolitan Area
Network (MAN)
b. Wide Area Network (WAN) d. World Wide Web
(WWW)

34. Which of the following is least likely a characteristic of

Wide Area Network (WAN)?
A. Created to connect two or more geographically separated
LANs.
B. Typically involves one or more long-distance providers, such
as a telephone company to provide the connections.
C. WAN connections tend to be faster than LAN.
D. Usually more expensive than LAN.

35. Gateway is
a. A hardware and software solution that enables
communications between two dissimilar networking systems or
protocols.
B. A device that forwards frames based on destination
addresses.
C. A device that connects and passes packets between two
network segments that use the same communication protocol.
D. A device that regenerates and retransmits the signal on a
network.

36. A device that works to control the flow of data between two
or more network segments
a. Bridge b. Router c. Repeater d. Switch

37. The undesirable characteristics of on-line computer systems

least likely include
a. Data are usually subjected to immediate validation checks.
B. Unlimited access of users to all of the functions in a
particular application.
C. Possible lack of visible transaction trail.
D. Potential programmer access to the system.

38. Certain general CIS controls that are particularly important

to on-line processing least likely include a. Access controls.
B. System development and maintenance controls.
C. Edit, reasonableness and other validation tests.
D. Use of anti-virus software program.

39. Certain CIS application controls that are particularly

important to on-line processing least likely include
a. Pre-processing authorization. C. Transaction logs.
B. Cut-off procedures. D. Balancing.
40. Risk of fraud or error in on-line systems may be reduced in
the following circumstances, except
a. If on-line data entry is performed at or near the point where
transactions originate, there is less risk that the transactions will
not be recorded.
B. If invalid transactions are corrected and re-entered
immediately, there is less risk that such transactions will not be
corrected and re-submitted on a timely basis.
C. If data entry is performed on-line by individuals who
understand the nature of the transactions involved, the data entry
process may be less prone to errors than when it is performed by
individuals unfamiliar with the nature of the transactions.
D. On-line access to data and programs through
telecommunications may provide greater opportunity for access
to data and programs by unauthorized persons.

41. Risk of fraud or error in on-line computer systems may be

increased for the following reasons, except
a. If workstations are located throughout the entity, the
opportunity for unauthorized use of a workstation and the entry
of unauthorized transactions may increase.
B. Workstations may provide the opportunity for unauthorized
uses such as modification of previously entered transactions or
balances.
C. If on-line processing is interrupted for any reason, for
example, due to faulty telecommunications, there may be a
greater chance that transactions or files may be lost and that the
recovery may not be accurate and complete.
D. If transactions are processed immediately on-line, there is
less risk that they will be processed in the wrong accounting
period.

42. The following matters are of particular importance to the

auditor in an on-line computer system, except
a. Authorization, completeness and accuracy of on-line
transactions.
B. Integrity of records and processing, due to on-line access to
the system by many users and programmers.
C. Changes in the performance of audit procedures including the
use of CAAT’s.
d. Cost-benefit ratio of installing on-line computer system.
PAPS 1003 – CIS Environments – Database Systems

43. A collection of data that is shared and used by a number of

different users for different purposes.
A. Database b. Information file c. Master file d.
Transaction file

44. Which of the following is least likely a characteristic of a

database system?
A. Individual applications share the data in the database for
different purposes.
B. Separate data files are maintained for each application and
similar data used by several applications may be repeated on
several different files.
C. A software facility is required to keep track of the location of
the data in the database.
D. Coordination is usually performed by a group of individuals
whose responsibility is typically referred to as “database
administration.”

45. Database administration tasks typically include

I. Defining the database structure.
II. Maintaining data integrity, security and completeness.
III. Coordinating computer operations related to the database.
IV. Monitoring system performance.
V. Providing administrative support.
A. All of the above b. All except I c. II and V only. d.
II, III and V only

46. Due to data sharing, data independence and other

characteristics of database systems
a. General CIS controls normally have a greater influence than
CIS application controls on database systems.
B. CIS application controls normally have a greater influence
than general CIS controls on database systems.
C. General CIS controls normally have an equal influence with
CIS application controls on database systems.
D. CIS application controls normally have no influence on
database systems.

47. Which statement is incorrect regarding the general CIS

controls of particular importance in a database environment?
A. Since data are shared by many users, control may be
enhanced when a standard approach is used for developing each
new application program and for application program
modification.
b. Several data owners should be assigned responsibility for
defining access and security rules, such as who can use the data
(access) and what functions they can perform (security).
C. User access to the database can be restricted through the use
of passwords.
D. Responsibilities for performing the various activities required
to design, implement and operate a database are divided among
technical, design, administrative and user personnel.

48. These require a database administrator to assign security

attributes to data that cannot be changed by database users.
A. Discretionary access controls c. Name-dependent
restrictions
b. Mandatory access controls d. Content-dependent
restrictions.

49. A discretionary access control wherein users are permitted or

denied access to data resource depending on the time series of
accesses to and actions they have undertaken on data resources.
A. Name-dependent restrictions c. Context-dependent
restriction
b. Content-dependent restriction d. History-dependent
restriction

50. The effect of a database system on the accounting system

and the associated risks will least likely depend on:
a. The extent to which databases are being used by accounting
applications.
B. The type and significance of financial transactions being
processed.
C. The nature of the database, the DBMS, the database
administration tasks and the applications.
D. The CIS application controls.

51. Audit procedures in a database environment will be affected

principally by
a. The extent to which the data in the database are used by the
accounting system.
B. The type and significance of financial transactions being
processed.
C. The nature of the database, the DBMS, the database
administration tasks and the applications.
D. The general CIS controls which are particularly important in
a database environment.

PAPS 1008 – Risk Assessments and Internal Control – CIS

Characteristics and Considerations

52. Which statement is incorrect regarding the characteristics of

a CIS organizational structure?
A. Certain data processing personnel may be the only ones with
a detailed knowledge of the interrelationship between the source
of data, how it is processed and the distribution and use of the
output.
B. Many conventional controls based on adequate segregation of
incompatible functions may not exist, or in the absence of access
and other controls, may be less effective.
C. Transaction and master file data are often concentrated,
usually in machine-readable form, either in one computer
installation located centrally or in a number of installations
distributed throughout an entity.
D. Systems employing CIS methods do not include manual
operations since the number of persons involved in the
processing of financial information is significantly reduced.

53. System characteristics that may result from the nature of CIS
processing include, except
a. Absence of input documents.
B. Lack of visible transaction trail.
C. Lack of visible output.
D. Difficulty of access to data and computer programs.

54. The development of CIS will generally result in design and

procedural characteristics that are different from those found in
manual systems. These different design and procedural aspects
of CIS include, except:
a. Consistency of performance.
B. Programmed control procedures.
C. Vulnerability of data and program storage media
d. Multiple transaction update of multiple computer files or
databases.
55. Which statement is incorrect regarding internal controls in a
CIS environment?
A. Manual and computer control procedures comprise the
overall controls affecting the CIS environment (general CIS
controls) and the specific controls over the accounting
applications (CIS application controls).
b. The purpose of general CIS controls is to establish a
framework of overall control over the CIS activities and to
provide a reasonable level of assurance that the overall
objectives of internal control are achieved.
C. The purpose of CIS application controls is to establish
specific control procedures over the application systems in order
to provide reasonable assurance that all transactions are
authorized and recorded, and are processed completely,
accurately and on a timely basis.
D. The internal controls over computer processing, which help
to achieve the overall objectives of internal control, include only
the procedures designed into computer programs.

56. General CIS controls may include, except:

a. Organization and management controls. C. Delivery and
support controls.
B. Development and maintenance controls. D. Controls over
computer data files.

57. CIS application controls include, except

a. Controls over input.
B. Controls over processing and computer data files.
C. Controls over output.
D. Monitoring controls.

58. Which statement is incorrect regarding the review of general

CIS controls and CIS application controls?
A. The auditor should consider how these general CIS controls
affect the CIS applications significant to the audit.
B. General CIS controls that relate to some or all applications
are typically interdependent controls in that their operation is
often essential to the effectiveness of CIS application controls.
C. Control over input, processing, data files and output may be
carried out by CIS personnel, by users of the system, by a
separate control group, or may be programmed into application
software.
D. It may be more efficient to review the design of the
application controls before reviewing the general controls.

59. Which statement is incorrect regarding the evaluation of

general CIS controls and CIS application controls?
A. The general CIS controls may have a pervasive effect on the
processing of transactions in application systems.
B. If general CIS controls are not effective, there may be a risk
that misstatements might occur and go undetected in the
application systems.
C. Manual procedures exercised by users may provide effective
control at the application level.
D. Weaknesses in general CIS controls cannot preclude testing
certain CIS application controls.

PAPS 1009 – Computer-Assisted Audit Techniques (CAATs)

60. The applications of auditing procedures using the computer
as an audit tool refer to
a. Integrated test facility c. Auditing through the computer
b. Data-based management system d. Computer assisted
audit techniques

61. Which statement is incorrect regarding CAATs?

A. CAATs are often an efficient means of testing a large number
of transactions or controls over large populations.
B. To ensure appropriate control procedures, the presence of the
auditor is not necessarily required at the computer facility during
the running of a CAAT.
C. The general principles outlined in PAPS 1009 apply in small
entity IT environments.
D. Where smaller volumes of data are processed, the use of
CAATs is more cost effective.

62. Consists of generalized computer programs designed to

perform common audit tasks or standardized data processing
functions.
A. Package or generalized audit software c. Utility programs
b. Customized or purpose-written programs d. System
management programs

63. Audit automation least likely include

a. Expert systems.
B. Tools to evaluate a client’s risk management procedures.
C. Manual working papers.
D. Corporate and financial modeling programs for use as
predictive audit tests.

Page 8 of 15 AT-030507
QUIZZERS
1. An internal auditor noted the following points when
conducting a preliminary survey in connection with the audit of
an EDP department. Which of the following would be
considered a safeguard in the control system on which the
auditor might rely?
A. Programmers and computer operators correct daily
processing problems as they arise.
B. The control group works with user organizations to correct
rejected input.
C. New systems are documented as soon as possible after they
begin processing live data.
D. The average tenure of employees working in the EDP
department is ten months.

2. An on-line access control that checks whether the user’s code

number is authorized to initiate a specific type of transaction or
inquiry is referred to as
a. Password c. Compatibility test
b. Limit check d. Reasonableness test
3. A control procedure that could be used in an on-line system to
provide an immediate check on whether an account number has
been entered on a terminal accurately is a
a. Compatibility test c. Record count
b. Hash total d. Self-checking digit

4. A control designed to catch errors at the point of data entry is

a. Batch total c. Self-checking digit
b. Record count d. Checkpoints

5. Program documentation is a control designed primarily to

ensure that
a. Programmers have access to the tape library or information on
disk files.
B. Programs do not make mathematical errors.
C. Programs are kept up to date and perform as intended.
D. Data have been entered and processed.

6. Some of the more important controls that relate to automated

accounting information systems are validity checks, limit
checks, field checks, and sign tests. These are classified as
a. Control total validation routines c. Output controls
b. Hash totaling d. Input validation routines

7. Most of today’s computer systems have hardware controls

that are built in by the computer manufacturer. Common
hardware controls are
a. Duplicate circuitry, echo check, and internal header labels
b. Tape file protection, cryptographic protection, and limit
checks
c. Duplicate circuitry, echo check, and dual reading
d. Duplicate circuitry, echo check, tape file protection, and
internal header labels

8. Computer manufacturers are now installing software

programs permanently inside the computer as part of its main
memory to provide protection from erasure or loss if there is
interrupted electrical power. This concept is known as a. File
integrity c. Random access memory (RAM) b. Software
control d. Firmware

9. Which one of the following represents a lack of internal

control in a computer-based information system?
A. The design and implementation is performed in accordance
with management’s specific authorization.
B. Any and all changes in application programs have the
authorization and approval of management.
C. Provisions exist to protect data files from unauthorized
access, modification, or destruction.
D. Both computer operators and programmers have unlimited
access to the programs and data files.

10. In an automated payroll processing environment, a

department manager substituted the time card for a terminated
employee with a time card for a fictitious employee. The
fictitious employee had the same pay rate and hours worked as
the terminated employee. The best control technique to detect
this action using employee identification numbers would be a
a. Batch total b. Hash total c. Record count d.
Subsequent check

11. An employee in the receiving department keyed in a

shipment from a remote terminal and inadvertently omitted the
purchase order number. The best systems control to detect this
error would be
a. Batch total c. Sequence check
b. Completeness test d. Reasonableness test

12. The reporting of accounting information plays a central role

in the regulation of business operations. Preventive controls are
an integral part of virtually all accounting processing systems,
and much of the information generated by the accounting system
is used for preventive control purposes. Which one of the
following is not an essential element of a sound preventive
control system?
A. Separation of responsibilities for the recording, custodial,
and authorization functions.
B. Sound personnel policies.
C. Documentation of policies and procedures.
D. Implementation of state-of-the-art software and hardware.

13. The most critical aspect regarding separation of duties within

information systems is between a. Project leaders and
programmers c. Programmers and systems analysts
b. Programmers and computer operators d. Data control
and file librarians

14. Whether or not a real time program contains adequate

controls is most effectively determined by the use of
a. Audit software c. A tracing routine
b. An integrated test facility d. A traditional test deck

15. Compatibility tests are sometimes employed to determine

whether an acceptable user is allowed to proceed. In order to
perform compatibility tests, the system must maintain an access
control matrix. The one item that is not part of an access control
matrix is a a. List of all authorized user code numbers and
passwords. B. List of all files maintained on the system. C.
Record of the type of access to which each user is entitled. D.
Limit on the number of transaction inquiries that can be made by
each user in a specified time period.

16. Which one of the following input validation routines is not

likely to be appropriate in a real time operation?
A. Field check c. Sequence check
b. Sign check d. Redundant data check

17. Which of the following controls is a processing control

designed to ensure the reliability and accuracy of data
processing?
Limit test Validity check test
a. Yes Yes
b. No No
c. No Yes
d. Yes No

18. Which of the following characteristics distinguishes

computer processing from manual processing? A. Computer
processing virtually eliminates the occurrence of computational
error normally associated with manual processing.
B. Errors or irregularities in computer processing will be
detected soon after their occurrences.
C. The potential for systematic error is ordinarily greater in
manual processing than in computerized processing.
D. Most computer systems are designed so that transaction trails
useful for audit do not exist.

19. Which of the following most likely represents a significant

deficiency in the internal control structure?
A. The systems analyst review applications of data processing
and maintains systems documentation.
B. The systems programmer designs systems for computerized
applications and maintains output controls.
C. The control clerk establishes control over data received by
the EDP department and reconciles control totals after
processing
d. The accounts payable clerk prepares data for computer
processing and enters the data into the computer.

20. Which of the following activities would most likely be

performed in the EDP Department?
A. Initiation of changes to master records.
B. Conversion of information to machine-readable form.
C. Correction of transactional errors.
D. Initiation of changes to existing applications.

21. For control purposes, which of the following should be

organizationally segregated from the computer operations
function?
A. Data conversion c. Systems development
b. Surveillance of CRT messages d. Minor maintenance
according to a schedule

22. Which of the following is not a major reason for maintaining

an audit trail for a computer system?
A. Deterrent to irregularities c. Analytical procedures
b. Monitoring purposes d. Query answering

23. In an automated payroll system, all employees in the

finishing department were paid the rate of P75 per hour when
the authorized rate was P70 per hour. Which of the following
controls would have been most effective in preventing such an
error?
A. Access controls which would restrict the personnel
department’s access to the payroll master file data.
B. A review of all authorized pay rate changes by the personnel
department.
C. The use of batch control totals by department.
D. A limit test that compares the pay rates per department with
the maximum rate for all employees.
24. Which of the following errors would be detected by batch
controls?
A. A fictitious employee as added to the processing of the
weekly time cards by the computer operator.
B. An employee who worked only 5 hours in the week was paid
for 50 hours.
C. The time card for one employee was not processed because it
was lost in transit between the payroll department and the data
entry function.
D. All of the above.

25. The use of a header label in conjunction with magnetic tape

is most likely to prevent errors by the
a. Computer operator c. Computer programmer
b. Keypunch operator d. Maintenance technician

26. For the accounting system of ACME Company, the amounts

of cash disbursements entered into an EDP terminal are
transmitted to the computer that immediately transmits the
amounts back to the terminal for display on the terminal screen.
This display enables the operator to
a. Establish the validity of the account number
b. Verify the amount was entered accurately
c. Verify the authorization of the disbursements
d. Prevent the overpayment of the account

27. When EDP programs or files can be accessed from

terminals, users should be required to enter a(an) a. Parity
check c. Self-diagnostic test
b. Personal identification code d. Echo check

28. The possibility of erasing a large amount of information

stored on magnetic tape most likely would be reduced by the use
of
a. File protection ring c. Completeness tests
b. Check digits d. Conversion verification

29. Which of the following controls most likely would assure

that an entity can reconstruct its financial records?
A. Hardware controls are built into the computer by the
computer manufacturer.
B. Backup diskettes or tapes of files are stored away from
originals.
C. Personnel who are independent of data input perform parallel
simulations.
D. System flowcharts provide accurate descriptions of input and
output operations.

30. Mill Co. uses a batch processing method to process its sales
transactions. Data on Mill’s sales transaction tape are
electronically sorted by customer number and are subject to
programmed edit checks in preparing its invoices, sales journals,
and updated customer account balances. One of the direct
outputs of the creation of this tape most likely would be a
A. Report showing exceptions and control totals.
B. Printout of the updated inventory records.
C. Report showing overdue accounts receivable.
D. Printout of the sales price master file.
31. Using microcomputers in auditing may affect the methods
used to review the work of staff assistants because
a. The audit field work standards for supervision may differ.
B. Documenting the supervisory review may require assistance
of consulting services personnel.
C. Supervisory personnel may not have an understanding of the
capabilities and limitations of microcomputers.
D. Working paper documentation may not contain readily
observable details of calculations.

32. An auditor anticipates assessing control risk at a low level in

a computerized environment. Under these circumstances, on
which of the following procedures would the auditor initially
focus?
A. Programmed control procedures c. Output control
procedures
b. Application control procedures d. General control
procedures

33. After the preliminary phase of the review of a client’s EDP

controls, an auditor may decide not to perform tests of controls
(compliance tests) related to the control procedures within the
EDP portion of the client’s internal control structure. Which of
the following would not be a valid reason for choosing to omit
such tests?
A. The controls duplicate operative controls existing elsewhere
in the structure.
B. There appear to be major weaknesses that would preclude
reliance on the stated procedure.
C. The time and costs of testing exceed the time and costs in
substantive testing if the tests of controls show the controls to
be operative.
D. The controls appear adequate.

34. Which of the following client electronic data processing

(EDP) systems generally can be audited without examining or
directly testing the EDP computer programs of the system?
A. A system that performs relatively uncomplicated processes
and produces detailed output.
B. A system that affects a number of essential master files and
produces a limited output.
C. A system that updates a few essential master files and
produces no printed output other than final balances.
D. A system that performs relatively complicated processing
and produces very little detailed output.

35. Computer systems are typically supported by a variety of

utility software packages that are important to an auditor
because they
a. May enable unauthorized changes to data files if not properly
controlled.
B. Are very versatile programs that can be used on hardware of
many manufacturers.
C. May be significant components of a client’s application
programs.
D. Are written specifically to enable auditors to extract and sort
data.

36. To obtain evidence that online access controls are properly

functioning, an auditor most likely would
a. Create checkpoints at periodic intervals after live data
processing to test for unauthorized use of the system.
B. Examine the transaction log to discover whether any
transactions were lost or entered twice due to a system
malfunction
c. Enter invalid identification numbers or passwords to ascertain
whether the system rejects them.
D. Vouch a random sample of processed transactions to assure
proper authorization

37. Which of the following statements most likely represents a

disadvantage for an entity that keeps microcomputer-prepared
data files rather than manually prepared files?
A. Attention is focused on the accuracy of the programming
process rather than errors in individual transactions.
B. It is usually easier for unauthorized persons to access and
alter the files.
C. Random error associated with processing similar transactions
in different ways is usually greater.
D. It is usually more difficult to compare recorded
accountability with physical count of assets.

38. An auditor would least likely use computer software to

a. Access client data files c. Assess EDP controls
b. Prepare spreadsheets d. Construct parallel simulations

39. A primary advantage of using generalized audit software

packages to audit the financial statements of a client that uses an
EDP system is that the auditor may
a. Consider increasing the use of substantive tests of
transactions in place of analytical procedures.
B. Substantiate the accuracy of data through self-checking
digits and hash totals.
C. Reduce the level of required tests of controls to a relatively
small amount.
D. Access information stored on computer files while having a
limited understanding of the client’s hardware and software
features.

40. Auditors often make use of computer programs that perform

routine processing functions such as sorting and merging. These
programs are made available by electronic data processing
companies and others and are specifically referred to as
a. Compiler programs c. Utility programs
b. Supervisory programs d. User programs

41. Smith Corporation has numerous customers. A customer

file is kept on disk storage. Each customer file contains name,
address, credit limit, and account balance. The auditor wishes to
test this file to determine whether the credit limits are being
exceeded. The best procedure for the auditor to follow would be
to
a. Develop test data that would cause some account balances to
exceed the credit limit and determine if the system properly
detects such situations.
B. Develop a program to compare credit limits with account
balances and print out the details of any account with a balance
exceeding its credit limit.
C. Request a printout of all account balances so they can be
manually checked against the credit limits.
D. Request a printout of a sample of account balances so they
can be individually checked against the credit limits.

42. The use of generalized audit software package

a. Relieves an auditor of the typical tasks of investigating
exceptions, verifying sources of information, and evaluating
reports.
B. Is a major aid in retrieving information from computerized
files.
C. Overcomes the need for an auditor to learn much about
computers.
D. Is a form of auditing around the computer.

43. An auditor used test data to verify the existence of controls

in a certain computer program. Even though the program
performed well on the test, the auditor may still have a concern
that
a. The program tested is the same one used in the regular
production runs.
B. Generalized audit software may have been a better tool to
use.
C. Data entry procedures may change and render the test
useless.
D. The test data will not be relevant in subsequent audit periods.

44. An auditor most likely would introduce test data into a

computerized payroll system to test internal controls related to
the
a. Existence of unclaimed payroll checks held by supervisors.
B. Early cashing of payroll checks by employees.
C. Discovery of invalid employee I.D. numbers.
D. Proper approval of overtime by supervisors.

45. When an auditor tests a computerized accounting system,

which of the following is true of the test data approach?
A. Test data must consist of all possible valid and invalid
conditions.
B. The program tested is different from the program used
throughout the year by the client.
C. Several transactions of each type must be tested.
D. Test data are processed by the client’s computer programs
under the auditor’s control.

46. Which of the following statements is not true to the test data
approach when testing a computerized accounting system?
A. The test need consist of only those valid and invalid
conditions which interest the auditor
b. Only one transaction of each type need be tested.
C. The test data must consist of all possible valid and invalid
conditions.
D. Test data are processed by the client’s computer programs
under the auditor’s control.

47. Which of the following is not among the errors that an

auditor might include in the test data when auditing a client’s
EDP system?
A. Numeric characters in alphanumeric fields. B. Authorized
code.
c. Differences in description of units of measure. D. Illogical
entries in fields whose logic is tested by programmed
consistency checks.

48. An auditor who is testing EDP controls in a payroll system

would most likely use test data that contain conditions such as
a. Deductions not authorized by employees.
B. Overtime not approved by supervisors.
C. Time tickets with invalid job numbers.
D. Payroll checks with unauthorized signatures.

49. Auditing by testing the input and output of an EDP system

instead of the computer program itself will
a. Not detect program errors which do not show up in the output
sampled.
B. Detect all program errors, regardless of the nature of the
output.
C. Provide the auditor with the same type of evidence.
D. Not provide the auditor with confidence in the results of the
auditing procedures.
50. Which of the following computer-assisted auditing
techniques allows fictitious and real transactions to be processed
together without client operating personnel being aware of the
testing process?
A. Integrated test facility c. Parallel simulation
b. Input controls matrix d. Data entry monitor

51. Which of the following methods of testing application

controls utilizes a generalized audit software package prepared
by the auditors?
A. Parallel simulation c. Test data approach
b. Integrated testing facility approach d. Exception report
tests

52. Misstatements in a batch computer system caused by

incorrect programs or data may not be detected immediately
because
a. Errors in some transactions may cause rejection of other
transactions in the batch.
B. The identification of errors in input data typically is not part
of the program.
C. There are time delays in processing transactions in a batch
system.
D. The processing of transactions in a batch system is not
uniform.

53. Which of the following is not a characteristic of a batch

processed computer system?
A. The collection of like transactions which are sorted and
processed sequentially against a master file.
B. Keypunching of transactions, followed by machine
processing.
C. The production of numerous printouts.
D. The posting of a transaction, as it occurs, to several files,
without immediate printouts.

54. Where disk files are used, the grandfather-father-son

updating backup concept is relatively difficult to implement
because the
a. Location of information points on disks is an extremely time
consuming task.
B. Magnetic fields and other environmental factors cause off-
site storage to be impractical.
C. Information must be dumped in the form of hard copy if it is
to be reviewed before used in updating.
D. Process of updating old records is destructive.

55. An auditor would most likely be concerned with which of

the following controls in a distributed data processing system?
A. Hardware controls c. Access controls
b. Systems documentation controls d. Disaster

56. If a control total were computed on each of the following

data items, which would best be identified as a hash total for a
payroll EDP application?
A. Total debits and total credits c. Department numbers
b. Net pay d. Hours worked
57. Which of the following is a computer test made to ascertain
whether a given characteristic belongs to the group?
A. Parity check c. Echo check
b. Validity check d. Limit check

58. A control feature in an electronic data processing system

requires the central processing unit (CPU) to send signals to the
printer to activate the print mechanism for each character. The
print mechanism, just prior to printing, sends a signal back to the
CPU verifying that the proper print position has been activated.
This type of hardware control is referred to as
a. Echo check c. Signal control
b. Validity control d. Check digit control

59. Which of the following is an example of a check digit?

a. An agreement of the total number of employees to the total
number of checks printed by the computer.
b. An algebraically determined number produced by the other
digits of the employee number.
c. A logic test that ensures all employee numbers are nine
digits.
d. A limit check that an employee’s hours do not exceed 50
hours per work week.

60. In a computerized system, procedure or problem-oriented

language is converted to machine language through a(an)
a. Interpreter b. Verifier c. Compiler d. Converter
61. A customer erroneously ordered Item No. 86321 rather than
item No. 83621. When this order is processed, the vendor’s
EDP department would identify the error with what type of
control?
a. Key verifying c. Batch total
b. Self-checking digit d. Item inspection

62. The computer process whereby data processing is performed

concurrently with a particular activity and the results are
available soon enough to influence the course of action being
taken or the decision being made is called:
a. Random access sampling c. On-line, real-time system
b. Integrated data processing d. Batch processing system

63. Internal control is ineffective when computer department

personnel
a. Participate in computer software acquisition decisions.
b. Design documentation for computerized systems.
c. Originate changes in master file.
d. Provide physical security for program files.

64. Test data, integrated test data and parallel simulation each
require an auditor to prepare data and computer programs.
CPAs who lack either the technical expertise or time to prepare
programs should request from the manufacturers or EDP
consultants for
a. The program Code c. Generalized audit software
b. Flowchart checks d. Application controls
65. Which of the following best describes a fundamental control
weakness often associated with electronic data processing
system?
a. EDP equipment is more subject to system error than manual
processing is subject to human error.
b. Monitoring is not an adequate substitute for the use of test
data.
c. EDP equipment processes and records similar transactions in
a similar manner.
d. Functions that would normally be separated in a manual
system are combined in the EDP system like the function of
programmers and operators.

66. Which of the following tasks could not be performed when

using a generalized audit software package?
A. Selecting inventory items for observations.
B. Physical count of inventories.
C. Comparison of inventory test counts with perpetual records.
D. Summarizing inventory turnover statistics for obsolescence
analysis.

67. All of the following are “auditing through the computer”

techniques except
a. Reviewing source code c. Automated tracking and
mapping
b. Test-decking d. Integrated test facility

68. The output of a parallel simulation should always be

a. Printed on a report.
B. Compared with actual results manually.
C. Compared with actual results using a comparison program.
D. Reconciled to actual processing output.
69. Generalized audit software is a computer-assisted audit
technique. It is one of the widely used technique for auditing
computer application systems. Generalized audit software is
most often used to
a. Verify computer processing.
B. Process data fields under the control of the operation
manager.
C. Independently analyze data files.
D. Both a and b.

70. From an audit viewpoint, which of the following represents a

potential disadvantage associated with the widespread use of
microcomputers?
A. Their portability.
B. Their ease of access by novice users.
C. Their easily developed programs using spreadsheets which
do not have to be documented.
D. All of the above.

71. Which of the following functions would have the least

effect on an audit if it was not properly segregated?
A. The systems analyst and the programmer functions.
B. The computer operator and programmer functions.
C. The computer operator and the user functions.
D. The applications programmer and the systems programmer.
 72. To obtain evidence that user identification and password
control procedures are functioning as designed, an auditor would
most likely
a. Attempt to sign on to the system using invalid user
identifications and passwords.
B. Write a computer program that simulates the logic of the
client’s access control software.
C. Extract a random sample of processed transactions and
ensure that the transactions were appropriately authorized.
D. Examine statements signed by employees stating that they
have not divulged their user identifications and passwords to any
other person.

SUGGESTED ANSWERS 1. D 2. D 3. D 4. D 5. D 6. D 7.
D 8. D 9. A 10. D 11. B 12. B 13. A 14. D 15. A 16. D 17.
D 18. A 19. B 20. A 21. D 22. B 23. A 24. A 25. D 26. C
27. A 28. D 29. D 30. A 31. A 32. A 33. C 34. C 35. A 36.
B 37. A 38. C 39. C 40. D 41. D 42. D 43. A 44. B 45. A
46. A 47. B 48. B 49. D 50. D 51. A 52. D 53. D 54. D 55.
D 56. D 57. D 58. D 59. D 60. D 61. D 62. A 63. C

QUIZZERS 1. B 2. C 3. D 4. C 5. C 6. D 7. C 8. D 9. D
10. B 11. B 12. D 13. B 14. B 15. D 16. C 17. A 18. A 19.
B 20. B 21. C 22. C 23. D 24. D 25. A 26. B 27. B 28. A
29. B 30. A 31. D 32. D 33. D 34. A 35. A 36. C 37. B 38.
C 39. D 40. C 41. B 42. B 43. A 44. C 45. D 46. C 47. A
48. C 49. A 50. A 51. A 52. C 53. D 54. D 55. C 56. C 57.
B 58. A 59. B 60. C 61. B 62. C 63. C 64. C 65. D 66. B
67. A 68. B 69. C 70. B